[鹤城杯 2021] Middle magic

Source code:

<?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){

    $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);

    if(preg_match('/pass_the_level_1#/', $aaa)){
        echo "here is level 2";
        
        if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
            if ($_POST['admin'] == $_POST['root_pwd'])
                echo '<p>The level 2 can not pass!</p>';
        // START FORM PROCESSING    
            else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
                echo "here is level 3,do you kown how to overcome it?";
                if (isset($_POST['level_3'])) {
                    $level_3 = json_decode($_POST['level_3']);
                    
                    if ($level_3->result == $result) {
                        
                        echo "success:".$flag;
                    }
                    else {
                        echo "you never beat me!";
                    }
                }
                else{
                    echo "out";
                }
            }
            else{
                
                die("no");
            }
        // perform validations on the form data
        }
        else{
            echo '<p>out!</p>';
        }

    }
    
    else{
        echo 'nonono!';
    }

    echo '<hr>';
}

?>

level 1

aaa=%0apass_the_level_1%23

The bypass uses a newline: %0a is a line feed and %23 is the "#" character. Without the /s modifier, "." in the filter regex does not match a newline, so a value starting with %0a never matches /^(.*)level(.*)$/ and is passed through unchanged. Both characters must be URL-encoded; if they are not, the request cannot be sent correctly (a raw "#" starts the URL fragment and the rest of the value is dropped).

level 2

Level 2 needs a SHA-1 strong collision: admin and root_pwd must differ under == but have identical sha1() digests under ===. This is the classic MD5/SHA1 comparison vulnerability family (weak comparison / weak collision, strong comparison, strong collision). Note that the parameters have to be sent with Burp Suite.

level 3

When PHP loosely compares an integer with a string, the string is parsed as "0", so we can construct a payload like this: level_3={"result":"555"}

Example code for the comparison:

<?php
// "asdf" == 0: on PHP 7 the non-numeric string is converted to int 0, so the
// comparison is true; on PHP 8 the int is compared as the string "0" and it is false.
$a = "asdf";
$b = json_decode('{"result":0}');
if ($a == $b->result) {
    echo "ok\n";
}
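The level 1 filter and the level 3 comparison as they appear in the challenge, each beside a hardened version. This is an added example, not part of the challenge or the writeup; $expected is a placeholder for the real $result, and the function names are mine.

```php
<?php
// Added example, not from the challenge: weak check beside hardened check.
// $expected is a placeholder; the real $result from result.php is unknown.

// Level 1: without /s the '.' metacharacter does not match "\n", so a value
// that starts with a newline never matches ^(.*)level(.*)$ and is untouched.
function filter_weak(string $s): string {
    return preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $s);
}
// /s makes '.' match newlines; a plain case-insensitive substring check
// (stripos) would be simpler and harder to get wrong.
function filter_fixed(string $s): string {
    return preg_replace('/^(.*)level(.*)$/s', '${1}<!-- filtered -->${2}', $s);
}

// Level 3: == between a non-numeric string and an int is true on PHP 7 (the
// string is converted to 0), and json_decode lets the client choose the type,
// so a client-supplied 0 or true compares equal to almost any secret.
function check_weak($user, $expected): bool {
    return $user == $expected;
}
// Require a string and use a constant-time, type-strict comparison.
function check_fixed($user, string $expected): bool {
    return is_string($user) && hash_equals($expected, $user);
}

// Level 1 payload from the writeup, URL-decoded (%0a -> "\n", %23 -> "#").
$payload = "\npass_the_level_1#";
var_dump(preg_match('/pass_the_level_1#/', filter_weak($payload)));
var_dump(preg_match('/pass_the_level_1#/', filter_fixed($payload)));

// Level 3: client-chosen integer 0 against a placeholder string secret.
$expected = "asdf";
$user = json_decode('{"result":0}')->result;
var_dump(check_weak($user, $expected));
var_dump(check_fixed($user, $expected));
```

On PHP 7 the weak filter lets the newline payload reach the level 2 check and the weak comparison accepts the integer 0; the fixed versions reject both, and on PHP 8 the loose comparison with 0 no longer matches either.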